[thirdparty/squid.git] / src / auth / ntlm / auth_ntlm.cc

/*
 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 29    NTLM Authenticator */

/* The functions in this file handle authentication.
 * They DO NOT perform access control or auditing.
 * See acl.c for access control and client_side.c for auditing */

#include "squid.h"
#include "auth/Gadgets.h"
#include "auth/ntlm/auth_ntlm.h"
#include "auth/ntlm/Scheme.h"
#include "auth/ntlm/User.h"
#include "auth/ntlm/UserRequest.h"
#include "auth/State.h"
#include "cache_cf.h"
#include "client_side.h"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "mgr/Registration.h"
#include "SquidTime.h"
#include "Store.h"
#include "wordlist.h"

/* NTLM Scheme */
static AUTHSSTATS authenticateNTLMStats;

statefulhelper *ntlmauthenticators = NULL;
static int authntlm_initialised = 0;

static hash_table *proxy_auth_cache = NULL;

/*
 *
 * Private Functions
 *
 */

void
Auth::Ntlm::Config::rotateHelpers()
{
    /* schedule closure of existing helpers */
    if (ntlmauthenticators) {
        helperStatefulShutdown(ntlmauthenticators);
    }

    /* NP: dynamic helper restart will ensure they start up again as needed. */
}

/* free any allocated configuration details */
void
Auth::Ntlm::Config::done()
{
    Auth::Config::done();

    authntlm_initialised = 0;

    if (ntlmauthenticators) {
        helperStatefulShutdown(ntlmauthenticators);
    }

    if (!shutting_down)
        return;

    delete ntlmauthenticators;
    ntlmauthenticators = NULL;

    if (authenticateProgram)
        wordlistDestroy(&authenticateProgram);

    debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
}

bool
Auth::Ntlm::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const
{
    if (!Auth::Config::dump(entry, name, scheme))
        return false;

    storeAppendPrintf(entry, "%s ntlm keep_alive %s\n", name, keep_alive ? "on" : "off");
    return true;
}

Auth::Ntlm::Config::Config() : keep_alive(1)
{ }

void
Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
{
    if (strcmp(param_str, "program") == 0) {
        if (authenticateProgram)
            wordlistDestroy(&authenticateProgram);

        parse_wordlist(&authenticateProgram);

        requirePathnameExists("auth_param ntlm program", authenticateProgram->key);
    } else if (strcmp(param_str, "keep_alive") == 0) {
        parse_onoff(&keep_alive);
    } else
        Auth::Config::parse(scheme, n_configured, param_str);
}

const char *
Auth::Ntlm::Config::type() const
{
    return Auth::Ntlm::Scheme::GetInstance()->type();
}

/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
 * config file */
void
Auth::Ntlm::Config::init(Auth::Config * scheme)
{
    if (authenticateProgram) {

        authntlm_initialised = 1;

        if (ntlmauthenticators == NULL)
            ntlmauthenticators = new statefulhelper("ntlmauthenticator");

        if (!proxy_auth_cache)
            proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);

        assert(proxy_auth_cache);

        ntlmauthenticators->cmdline = authenticateProgram;

        ntlmauthenticators->childs.updateLimits(authenticateChildren);

        ntlmauthenticators->ipc_type = IPC_STREAM;

        helperStatefulOpenServers(ntlmauthenticators);
    }
}

void
Auth::Ntlm::Config::registerWithCacheManager(void)
{
    Mgr::RegisterAction("ntlmauthenticator",
                        "NTLM User Authenticator Stats",
                        authenticateNTLMStats, 0, 1);
}

bool
Auth::Ntlm::Config::active() const
{
    return authntlm_initialised == 1;
}

bool
Auth::Ntlm::Config::configured() const
{
    if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
        debugs(29, 9, HERE << "returning configured");
        return true;
    }

    debugs(29, 9, HERE << "returning unconfigured");
    return false;
}

/* NTLM Scheme */

void
Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type hdrType, HttpRequest * request)
{
    if (!authenticateProgram)
        return;

    /* Need keep-alive */
    if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
        return;

    /* New request, no user details */
    if (auth_user_request == NULL) {
        debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
        httpHeaderPutStrf(&rep->header, hdrType, "NTLM");

        if (!keep_alive) {
            /* drop the connection */
            request->flags.proxyKeepalive = false;
        }
    } else {
        Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
        assert(ntlm_request != NULL);

        switch (ntlm_request->user()->credentials()) {

        case Auth::Failed:
            /* here it makes sense to drop the connection, as auth is
             * tied to it, even if MAYBE the client could handle it - Kinkie */
            request->flags.proxyKeepalive = false;
            /* fall through */

        case Auth::Ok:
            /* Special case: authentication finished OK but disallowed by ACL.
             * Need to start over to give the client another chance.
             */
            /* fall through */

        case Auth::Unchecked:
            /* semantic change: do not drop the connection.
             * 2.5 implementation used to keep it open - Kinkie */
            debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
            httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
            break;

        case Auth::Handshake:
            /* we're waiting for a response from the client. Pass it the blob */
            debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
            httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
            safe_free(ntlm_request->server_blob);
            break;

        default:
            debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
            fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
        }
    }
}

static void
authenticateNTLMStats(StoreEntry * sentry)
{
    helperStatefulStats(sentry, ntlmauthenticators, "NTLM Authenticator Statistics");
}

/*
 * Decode a NTLM [Proxy-]Auth string, placing the results in the passed
 * Auth_user structure.
 */
Auth::UserRequest::Pointer
Auth::Ntlm::Config::decode(char const *proxy_auth, const char *aRequestRealm)
{
    Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::Config::Find("ntlm"), aRequestRealm);
    Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
    assert(auth_user_request->user() == NULL);

    auth_user_request->user(newUser);
    auth_user_request->user()->auth_type = Auth::AUTH_NTLM;

    /* all we have to do is identify that it's NTLM - the helper does the rest */
    debugs(29, 9, HERE << "decode: NTLM authentication");
    return auth_user_request;
}
Commit	Line	Data
94439e4e	1	/*
bbc27441	2	* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
94439e4e	3	*
bbc27441 AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
94439e4e	7	*/
94439e4e	8
bbc27441 AJ	9	/* DEBUG: section 29 NTLM Authenticator */
bbc27441 AJ	10
94439e4e	11	/* The functions in this file handle authentication.
	12	* They DO NOT perform access control or auditing.
	13	* See acl.c for access control and client_side.c for auditing */
	14
582c2af2	15	#include "squid.h"
3ad63615	16	#include "auth/Gadgets.h"
5817ee13	17	#include "auth/ntlm/auth_ntlm.h"
616cfc4c	18	#include "auth/ntlm/Scheme.h"
aa110616	19	#include "auth/ntlm/User.h"
616cfc4c	20	#include "auth/ntlm/UserRequest.h"
928f3421	21	#include "auth/State.h"
8a01b99e	22	#include "cache_cf.h"
a46d2c0e	23	#include "client_side.h"
a5bac1d2	24	#include "HttpHeaderTools.h"
924f73bc	25	#include "HttpReply.h"
a2ac85d9	26	#include "HttpRequest.h"
602d9612	27	#include "mgr/Registration.h"
cc192b50	28	#include "SquidTime.h"
602d9612 A	29	#include "Store.h"
602d9612 A	30	#include "wordlist.h"
c78aa667	31
94439e4e	32	/* NTLM Scheme */
94439e4e	33	static AUTHSSTATS authenticateNTLMStats;
94439e4e	34
928f3421	35	statefulhelper *ntlmauthenticators = NULL;
94439e4e	36	static int authntlm_initialised = 0;
94439e4e	37
94439e4e	38	static hash_table *proxy_auth_cache = NULL;
	39
	40	/*
	41	*
	42	* Private Functions
	43	*
	44	*/
	45
0bcb6908	46	void
372fccd6	47	Auth::Ntlm::Config::rotateHelpers()
0bcb6908 AJ	48	{
	49	/* schedule closure of existing helpers */
	50	if (ntlmauthenticators) {
	51	helperStatefulShutdown(ntlmauthenticators);
	52	}
	53
	54	/* NP: dynamic helper restart will ensure they start up again as needed. */
	55	}
	56
5817ee13	57	/* free any allocated configuration details */
f5691f9c	58	void
372fccd6	59	Auth::Ntlm::Config::done()
94439e4e	60	{
d4806c91 CT	61	Auth::Config::done();
d4806c91 CT	62
94439e4e	63	authntlm_initialised = 0;
62e76326	64
5817ee13 AJ	65	if (ntlmauthenticators) {
5817ee13 AJ	66	helperStatefulShutdown(ntlmauthenticators);
5817ee13	67	}
62e76326	68
94439e4e	69	if (!shutting_down)
62e76326	70	return;
62e76326	71
48d54e4d	72	delete ntlmauthenticators;
94439e4e	73	ntlmauthenticators = NULL;
62e76326	74
58ee2093 AJ	75	if (authenticateProgram)
58ee2093 AJ	76	wordlistDestroy(&authenticateProgram);
cdabe87d	77
372fccd6	78	debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
94439e4e	79	}
94439e4e	80
3616c90c AJ	81	bool
3616c90c AJ	82	Auth::Ntlm::Config::dump(StoreEntry * entry, const char name, Auth::Config scheme) const
94439e4e	83	{
3616c90c AJ	84	if (!Auth::Config::dump(entry, name, scheme))
3616c90c AJ	85	return false;
62e76326	86
3616c90c AJ	87	storeAppendPrintf(entry, "%s ntlm keep_alive %s\n", name, keep_alive ? "on" : "off");
3616c90c AJ	88	return true;
94439e4e	89	}
94439e4e	90
372fccd6	91	Auth::Ntlm::Config::Config() : keep_alive(1)
6bf4f823	92	{ }
62e76326	93
f5691f9c	94	void
372fccd6	95	Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
f5691f9c	96	{
a37d6070	97	if (strcmp(param_str, "program") == 0) {
58ee2093 AJ	98	if (authenticateProgram)
58ee2093 AJ	99	wordlistDestroy(&authenticateProgram);
62e76326	100
58ee2093	101	parse_wordlist(&authenticateProgram);
62e76326	102
58ee2093	103	requirePathnameExists("auth_param ntlm program", authenticateProgram->key);
a37d6070	104	} else if (strcmp(param_str, "keep_alive") == 0) {
6bf4f823	105	parse_onoff(&keep_alive);
d4806c91 CT	106	} else
d4806c91 CT	107	Auth::Config::parse(scheme, n_configured, param_str);
94439e4e	108	}
94439e4e	109
f5691f9c	110	const char *
372fccd6	111	Auth::Ntlm::Config::type() const
94439e4e	112	{
d6374be6	113	return Auth::Ntlm::Scheme::GetInstance()->type();
94439e4e	114	}
	115
	116	/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
	117	* config file */
f5691f9c	118	void
372fccd6	119	Auth::Ntlm::Config::init(Auth::Config * scheme)
94439e4e	120	{
58ee2093	121	if (authenticateProgram) {
6bf4f823	122
62e76326	123	authntlm_initialised = 1;
	124
	125	if (ntlmauthenticators == NULL)
48d54e4d	126	ntlmauthenticators = new statefulhelper("ntlmauthenticator");
62e76326	127
62e76326	128	if (!proxy_auth_cache)
30abd221	129	proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
62e76326	130
	131	assert(proxy_auth_cache);
	132
58ee2093	133	ntlmauthenticators->cmdline = authenticateProgram;
62e76326	134
1af735c7	135	ntlmauthenticators->childs.updateLimits(authenticateChildren);
62e76326	136
	137	ntlmauthenticators->ipc_type = IPC_STREAM;
	138
62e76326	139	helperStatefulOpenServers(ntlmauthenticators);
94439e4e	140	}
	141	}
	142
62ee09ca	143	void
372fccd6	144	Auth::Ntlm::Config::registerWithCacheManager(void)
62ee09ca	145	{
8822ebee	146	Mgr::RegisterAction("ntlmauthenticator",
d9fc6862 A	147	"NTLM User Authenticator Stats",
d9fc6862 A	148	authenticateNTLMStats, 0, 1);
62ee09ca	149	}
62ee09ca	150
f5691f9c	151	bool
372fccd6	152	Auth::Ntlm::Config::active() const
2d70df72	153	{
f5691f9c	154	return authntlm_initialised == 1;
2d70df72	155	}
2d70df72	156
f5691f9c	157	bool
372fccd6	158	Auth::Ntlm::Config::configured() const
94439e4e	159	{
58ee2093	160	if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
372fccd6	161	debugs(29, 9, HERE << "returning configured");
f5691f9c	162	return true;
2d70df72	163	}
62e76326	164
372fccd6	165	debugs(29, 9, HERE << "returning unconfigured");
f5691f9c	166	return false;
94439e4e	167	}
	168
	169	/* NTLM Scheme */
94439e4e	170
f5691f9c	171	void
c7baff40	172	Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply rep, http_hdr_type hdrType, HttpRequest request)
94439e4e	173	{
58ee2093	174	if (!authenticateProgram)
6bf4f823	175	return;
62e76326	176
63a05fa3	177	/* Need keep-alive */
450fe1cb	178	if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
26ac0430	179	return;
63a05fa3	180
6bf4f823	181	/* New request, no user details */
6bf4f823	182	if (auth_user_request == NULL) {
372fccd6	183	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
18ec8500	184	httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
6bf4f823	185
6bf4f823	186	if (!keep_alive) {
62e76326	187	/* drop the connection */
e857372a	188	request->flags.proxyKeepalive = false;
62e76326	189	}
6bf4f823	190	} else {
c7baff40	191	Auth::Ntlm::UserRequest ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest >(auth_user_request.getRaw());
3a11f20d	192	assert(ntlm_request != NULL);
3a11f20d	193
d232141d	194	switch (ntlm_request->user()->credentials()) {
62e76326	195
d87154ee	196	case Auth::Failed:
6bf4f823	197	/* here it makes sense to drop the connection, as auth is
6bf4f823	198	* tied to it, even if MAYBE the client could handle it - Kinkie */
e857372a	199	request->flags.proxyKeepalive = false;
6bf4f823	200	/* fall through */
94439e4e	201
d87154ee	202	case Auth::Ok:
6bf4f823	203	/* Special case: authentication finished OK but disallowed by ACL.
	204	* Need to start over to give the client another chance.
	205	*/
	206	/* fall through */
62e76326	207
d87154ee	208	case Auth::Unchecked:
6bf4f823	209	/* semantic change: do not drop the connection.
6bf4f823	210	* 2.5 implementation used to keep it open - Kinkie */
372fccd6	211	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
18ec8500	212	httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
6bf4f823	213	break;
62e76326	214
d87154ee	215	case Auth::Handshake:
6bf4f823	216	/* we're waiting for a response from the client. Pass it the blob */
372fccd6	217	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
18ec8500	218	httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
6bf4f823	219	safe_free(ntlm_request->server_blob);
6bf4f823	220	break;
62e76326	221
6bf4f823	222	default:
372fccd6	223	debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
6bf4f823	224	fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
	225	}
	226	}
	227	}
62e76326	228
94439e4e	229	static void
	230	authenticateNTLMStats(StoreEntry * sentry)
	231	{
9522b380	232	helperStatefulStats(sentry, ntlmauthenticators, "NTLM Authenticator Statistics");
94439e4e	233	}
94439e4e	234
94439e4e	235	/*
6bf4f823	236	* Decode a NTLM [Proxy-]Auth string, placing the results in the passed
94439e4e	237	* Auth_user structure.
94439e4e	238	*/
c7baff40	239	Auth::UserRequest::Pointer
d4806c91	240	Auth::Ntlm::Config::decode(char const proxy_auth, const char aRequestRealm)
94439e4e	241	{
d4806c91	242	Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::Config::Find("ntlm"), aRequestRealm);
c7baff40	243	Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
f5691f9c	244	assert(auth_user_request->user() == NULL);
a33a428a	245
f5691f9c	246	auth_user_request->user(newUser);
616cfc4c	247	auth_user_request->user()->auth_type = Auth::AUTH_NTLM;
94439e4e	248
94439e4e	249	/* all we have to do is identify that it's NTLM - the helper does the rest */
372fccd6	250	debugs(29, 9, HERE << "decode: NTLM authentication");
f5691f9c	251	return auth_user_request;
94439e4e	252	}